Flipper: Rowhammer on Steroids

Abstract

The density of memory cells in modern DRAM is so high that frequently accessing a memory row can flip bits in nearby rows. That effect is called Rowhammer, and an attacker can exploit this phenomenon to flip bits by rapidly accessing the contents of nearby memory rows. In recent years, researchers have developed sophisticated exploits based on this vulnerability, which enable privilege escalation on desktop computers, mobile devices, and even cloud systems without requiring any software vulnerability. However, rows are not equally vulnerable to Rowhammer. Therefore, an attacker has to massage the memory, for instance, with Page Table Entry (PTE) spraying, to increase the chance of successful exploitation. More bit flips mean the attacks become easier and faster to conduct. 

In this paper, we present Flipper, a Rowhammer amplification attack against DDR3, consisting of two components: cmpIST exploits the cmpsb and repe x86 instructions to access DRAM at a higher frequency. cmpPAR exploits the effect of hammering in multiple threads, which increases the number of bit flips found in a given time, as shown in previous work. As a result, we can increase the number of bit flips by a factor of 830 on the measured devices, even on systems featuring mitigation techniques, without using administrative privileges. We evaluate our technique on six DDR3 DIMMs. Although DDR3 memory has been superseded by DDR4 and DDR5 memory technologies, it is still widely used in devices that do not require frequent replacement, such as projectors, smart displays, servers, embedded devices, routers, and printers.

More about this title

Title Flipper: Rowhammer on Steroids
Media 1st Microarchitecture Security Conference (uASC '25)
Publisher ---
Issue ---
Volume ---
ISBN ---
Author/Editor Martin Heckel, Prof. Dr. Florian Adamsky
Pages ---
Publication date 30.01.2025
Project title NeRAM
Citation Heckel, Martin; Adamsky, Florian (2025): Flipper: Rowhammer on Steroids. 1st Microarchitecture Security Conference (uASC '25).